kinow commented on PR #371: URL: https://github.com/apache/commons-io/pull/371#issuecomment-1199978976
@JLLeitschuh I think I understand the time limitation you have to work privately with organizations, and also to work on tests. What about integrating your tool with another existing tool like Google OSS Fuzz? I am not sure if your tool is a fuzzer, or a static or runtime analyzer that tries to use existing exploits against code bases. Maybe there are other tools like SonarCloud that also support these analyzers.

The advantage of integrating with a tool like OSS Fuzz, for instance, is that they already have a workflow that is used by organizations like ASF, and a process for private disclosure of issues. Otherwise, even though I believe fixing these issues is beneficial to users, in the end your pull requests may end up stalled for a long time until a volunteer has time to reproduce, add tests, prepare the CVE/disclosure, etc. And it wouldn't be doing any benefit to users or maintainers in this case.

Cheers
-Bruno

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
